The IC3 Recovery and Investigative Development (RaID) Team set up by the U.S. Federal Bureau of Investigations (FBI) is reporting that on average it is now receiving 340,000 complaints per year, including 2,047 complaints in 2019 involving ransomware attacks that resulted in more than $8.9 million in adjusted losses and 23,775 complaints of business email compromise (BEC) / email account compromise (EAC) complaints that resulted in adjusted losses of more than $1.7 billion. Out of those 340,000, complaints, a total of 114,702 involved some form of phishing, vishing, smishing or pharming attack.
It’s hard to say with absolute certainty which form of attack is causing more damage because not every organization reports when they’ve been victimized. However, the 2019 Internet Crime Report from the FBI makes it clear that classic BEC attacks still outnumber ransomware attacks. In fact, BEC attacks are becoming more elaborate.
For example, the FBI reports it is seeing an increase last year in the number of BEC/EAC complaints related to the diversion of payroll funds. In this type of cyberattack, a company receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information, however, re-routes those funds to a pre-paid card account.
The FBI also reports there’s been an increase last year in tech support fraud, 13,633 complaints being received from victims in no less than 48 countries. The losses amounted to over $54 million, which represents a 40 percent increase in losses from 2018.The FBI reports there’s been an increase last year in tech support fraud, 13,633 complaints being received from victims in no less than 48 countries.Click To Tweet
In terms of locations where these complaints are being filed, The FBI revealed that California tops the list with more than 30,000 complaints, followed by Texas, Florida, and Ohio
The good news is the FBI appears to be getting better at capturing the perpetrators. For example, the FBI was able to help one organization recover a $190,000 that had been wired on two separate occasions for invoice payments and a successful prosecution. The FBI also received a complaint involving a BEC incident for $138,000, where the victim received an email that resulted in funds being wired to a fraudulent bank account in Florida. When the perpetrator attempted to withdraw funds, a bank employee requested documents to support the receipt of the wire. When the account holder was unable to provide legitimate documentation, the bank alerted local law enforcement and the account holder was arrested by the Fort Lauderdale Police Department.
In a similar vein, the FBI also invested three individuals engaged in SIM Swapping, social engineering, online account takeovers, cryptocurrency theft, online threats, extortion, celebrity account hacking, SWATing, and Doxxing. The arrest of a SIM SWAPPING group leader which led to the seizures of over $18 million, five vehicles, a $900,000 home, and hundreds of thousands of dollars in jewelry. The SIM SWAPPING scheme had targeted hundreds of victims, compromised hundreds of cryptocurrency accounts, and caused approximately $40 million in losses, according to the FBI.
Of course, a lot more cybercriminals are still profiting from these schemes than there are those getting caught. It’s the rank and file cybersecurity professionals that are effectively the first line of defense. The only difference between the FBI and cybersecurity professionals, of course, is only one of them has the authority to actually arrest someone.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.